[status] Investigating: Version 3.7.2 of the popular package `eslint-scope` was published without authorization (see github.com/eslint/eslint-…). This version contained apparently malicious code that attempted to steal npm login tokens. stspg.io/99e856545

[status] Investigating: We continue to work on identifying and notifying affected users. We believe the vector for this compromise was stolen credentials from one of the authorized publishers of the eslint-scope package. stspg.io/99e856545

[status] Monitoring: To protect potentially compromised accounts, npm is invalidating all npm login tokens created between 2018-07-11 UTC and 2018-07-12 UTC (about 2 hours ago). stspg.io/99e856545

[status] Monitoring: Further clarifying: npm will revoke all tokens issued before 2018-07-12 UTC. If you rolled your tokens after that time you will not need to re-issue them.

[status] Resolved: We have now invalidated all npm tokens issued before 2018-07-12 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today. stspg.io/99e856545

Thanks to NPMers for their hard work on incident response. A concern: if someone npm updated yesterday, and doesn't run eslint and npm publish until tomorrow, won't this allow the evil version of eslint-scope to snarf their *new* token?

A cache that passes through requests for methods it does not understand SHOULD invalidate any entities referred to by the Request-URI.

I'd forgotten that it wasn't just on the Request-URI, but this makes total sense; each of these situations results in anything that's been cached becoming invalid, and while you can't guarantee that all caches around the world will invalidate them, implementations should do what they can (especially browser caches, because it's likely the user will make more requests soon).

Having done some automated browser testing recently, it was easy to whip up a couple of tests for these requirements. I've moved all of the caching-related testing into one page; while it uses XMLHttpRequest, these results should be valid for most any implementation, as the same cache as the normal browser is used. Safari seems OK for these purposes (even unknown methods), while Firefox gloriously fails all of the invalidation tests.

So, I think we're both right; within the confines of HTTP/1.1, as defined by RFC2616, the caching model doesn't allow you to vary on the request method. HOWEVER, I think you use the extensibility of HTTP to do this, either by coming up with a cache-control extension method that overrides the HTTP caching model, or (perhaps more cleanly) defines a new, method-specific cache with its own model. E.g., say that Cache-Control: options-max-age=300 allows you to cache OPTIONS responses in their own cache for 300 seconds, if you know about this extension (implementations that don't will still do the right thing).